Hi, I did some quick testing, it's a little old on updates, but working.
I apologize for my bad English. I have removed timestamps from logs.

- PF server version: 11.0.0
- Unifi Controller: 6.5.55 on Debian
- UAP/AP Model: UAP-AC-Pro
- UAP/AP Firmware: 6.6.55.15189
- Switch config on PF:
    IP ADDRESS: "UAP_ip_address"
    MAC ADDRESS: 18:e8:29:66:XX:XX
    Type: Ubiquiti:Unifi
    Deauthentication Method: RADIUS
    Use CoA: Yes
    RADIUS secret passphrase: "your_passphrase"
    Roles by VLAN ID as needed
- SSID: "regtest", MAC-AUTH, RADIUS-assigned VLAN.
- Client Device: Windows 10 laptop, MAC address: f8:59:71:c4:XX:XX

Client connects first, in unreg condition and with no role.

Not registered, placed in the registration VLAN:

    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] handling radius autz request: from switch_ip => (192.168.96.XX), connection_type => Wireless-802.11-NoEAP,switch_mac => (18:e8:29:67:XX:XX), mac => [f8:59:71:c4:XX:XX], port => 0, username => "f8:59:71:c4:XX:XX", ssid => regtest (pf::radius::authorize)
    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] Instantiate profile IBERA-TEST (pf::Connection::ProfileFactory:_from_profile)
    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 102 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Client proceeds with portal auth, is registered and placed in the "guest" VLAN:

    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] Username was defined "f8:59:71:c4:XX:XX" - returning role 'guest' (pf::role::getRegisteredRole)
    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] PID: "default", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
    pf packetfence_httpd.aaa[1279776]: httpd.aaa(2354) INFO: [mac:f8:59:71:c4:XX:XX] (192.168.96.XX) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

I'm not sure, but I think CoA is implemented in the AP firmware, as seen in a UAP/AP "running config":

    aaa.radius.dad.status=enabled
    aaa.radius.dad.port=3799
    aaa.1.radius.das.status=enabled
    aaa.1.radius.das.port=3801
    aaa.1.radius.dad.status=enabled

As UNIFI is not supporting the old UI anymore, and in the new UI CoA is not implemented, I think it is possible to provision UAPs via a config text file on the controller side, but I have not tested it:
https://gist.github.com/modest/d6ffb2cdd5e38b213f24c29be38e3b1d

Not sure if this is possible on new controller versions, as I'm a little behind on that. But CoA is working on this test env firmware/versions ecosystem. Or maybe on the new Unifi Network software, CoA is enabled when the RADIUS profile is created?

PF side:

    (7) Disconnect-Request Id 1 ens192:10.100.0.2:46904 -> 192.168.96.XX:3799 +10.748
        Calling-Station-Id = "F8-59-71-C4-56-3F"
        NAS-Identifier = "18e829677602"
        Authenticator-Field = 0x776e35f33d6376547f3c57e46402ea49
    (9) Disconnect-ACK Id 1 ens192:10.100.0.2:46904 <- 192.168.96.XX:3799 +10.764 +0.016
        Event-Timestamp = "Feb 22 2024 19:11:43 -03"
        Message-Authenticator = 0xa5a19f1c4f9c253ca6bfce2033d74a3c
        Authenticator-Field = 0x5384dccc7ce36e404d3ea859b818793b

UAP side:

    IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x7d length: 53
    IP pf.your-server.com.ar.53203 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x7d length: 53
    IP 192.168.96.XX.3799 > pf.your-server.com.ar.53203: RADIUS, Disconnect-ACK (41), id: 0x7d length: 44
    IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x72 length: 53
    IP pf.your-server.com.ar.50594 > 192.168.96.XX.3799: RADIUS, Disconnect-Request (40), id: 0x72 length: 53
    IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS, Disconnect-ACK (41), id: 0x72 length: 44
    IP 192.168.96.XX.3799 > pf.your-server.com.ar.50594: RADIUS, Disconnect-ACK (41), id: 0x72 length: 44

I will be out for a few weeks, but I'm glad to help with integrating Unifi and Mikrotik with PF, and keep support alive. I also have spare HW to perform some testing; maybe I could get a new-gen U6 Unifi UAP or a Mikrotik cAP ax too. I can also spare some cloud resources to run new PF versions along with new UNIFI/MIKROTIK software.

Enrique

On Fri, 16 Feb 2024 at 23:44, Lucas Guimaraes (<lucas.guimar...@kavak.com>) wrote:

> Hi Enrique,
>
> Yes, switching to the legacy interface, we can see the Radius CoA (Beta
> for ages hehehe) in the SSID as soon as you enable the Radius option.
> However, even if you enable this feature on Unifi Controller, the issue
> "Can't login on the Unifi controller: 404 Not Found ''" is still there.
> Consequently, the device which is trying to go out to the internet is still
> stuck inside of the portal.
>
> In other words, even with CoA on from Unifi, the deauthentication doesn't
> work. At that point, pf tries to send a command to the Unifi Controller but
> it doesn't respond.
>
> Also, I've tried to do it with all the methods of deauthentication
> available in pf instead, and none of them has worked either with the latest
> stable firmware in Unifi Controller or Network software. I was putting my
> faith in Radius deauthentication in pf to see if that works too with web
> auth enabled, as we know Radius works in Unifi, but it still shows the same
> error yet.
>
> It's kind of frustrating tbh :/
>
> I hope someday any dev from pf / unifi could help us with that.
>
> I think many people are looking forward to that ^^
>
> On Fri, 16 Feb 2024, 08:17 Enrique Gross via PacketFence-users, <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi Mike, Hi Lucas
>>
>> I have read somewhere that there were issues with web authentication
>> and Unifi appliances like UDM. I remember configuring web auth but I
>> now use RADIUS CoA and it works well. I admit I'm a few versions
>> behind on my Unifi controller, and this double UI issue is kind of a
>> headache. But the CoA option is still there in the UI on Unifi
>> controller 8.X when you switch to the old one; does the config not
>> provision anymore?
>>
>> Enrique
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
> CONFIDENTIALITY NOTICE
> This e-mail message and any attachments may contain confidential or
> legally privileged information and is intended only for the use of the
> intended recipient(s). Any unauthorized disclosure, dissemination,
> distribution, copying or any action in reliance on the information herein
> is prohibited. It is prohibited to persons or entities that are not the
> recipient(s) of this email any modification, copying, distribution,
> disclosure, retention or use of the information contained therein. E-mails
> are not secure and cannot be guaranteed to be error free as they can be
> intercepted, amended, or contain viruses. Anyone who communicates with us
> by e-mail is deemed to have accepted these risks. The Data Owner is not
> responsible for errors or omissions in this message and denies any
> responsibility for any damage arising from the use of e-mail. Any opinion
> and other statement contained in this message and any attachment are solely
> those of the author and do not necessarily represent those of the company.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
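The Disconnect-Request / Disconnect-ACK exchange captured above (RFC 5176 Dynamic Authorization on UDP 3799), reconstructed as an added example that is not part of the thread or of PacketFence's own code. It builds the same 53-byte request (Calling-Station-Id + NAS-Identifier, no Message-Authenticator) and 44-byte ACK (Event-Timestamp + Message-Authenticator) seen in the tcpdump, and shows the check the client should perform before treating the session as torn down; the MAC, NAS-Identifier, shared secret and timestamp are constructed placeholders, not values from a live system.

```python
import hashlib, hmac, struct

# RADIUS Dynamic Authorization codes and attribute types (RFC 5176 / RFC 2865 / RFC 3579)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, NAS_IDENTIFIER, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR = 31, 32, 55, 80

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_disconnect_request(secret, ident, attrs):
    """PacketFence side: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body

def build_disconnect_ack(secret, request, timestamp):
    """AP side: ACK carrying Event-Timestamp and Message-Authenticator (HMAC-MD5 keyed with the
    secret over the reply with the request's authenticator in place and the MA value zeroed),
    then Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = attr(EVENT_TIMESTAMP, struct.pack("!I", timestamp)) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", DISCONNECT_ACK, request[1], 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request[4:20] + body, "md5").digest()
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_disconnect_ack(secret, request, reply):
    """Client side: accept the ACK only if the ID matches the outstanding request, the length
    is consistent, and the Response Authenticator and any Message-Authenticator validate."""
    code, ident, length = struct.unpack("!BBH", reply[:4]) if len(reply) >= 20 else (0, -1, 0)
    if code != DISCONNECT_ACK or ident != request[1] or length != len(reply):
        return False
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expect, reply[4:20]):
        return False
    pos = 20
    while pos + 2 <= len(reply):  # walk the TLVs; a present MA must be the HMAC over the zeroed reply
        atype, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > len(reply):
            return False
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = reply[:pos + 2] + bytes(16) + reply[pos + 18:]
            ma = hmac.new(secret, zeroed[:4] + request[4:20] + zeroed[20:], "md5").digest()
            if alen != 18 or not hmac.compare_digest(ma, reply[pos + 2:pos + 18]):
                return False
        pos += alen
    return True

def demo(secret=b"your_passphrase"):
    # Constructed exchange mirroring the capture: id 0x7d, 53-byte request, 44-byte ACK.
    request = build_disconnect_request(secret, 0x7D, [
        attr(CALLING_STATION_ID, b"F8-59-71-C4-XX-XX"),  # masked MAC placeholder, as in the post
        attr(NAS_IDENTIFIER, b"18e829677602")])
    return request, build_disconnect_ack(secret, request, 1708640503)
```

A reply signed with a different secret, with a tampered byte, or answering a different request ID fails `verify_disconnect_ack`, which is the property that stops a spoofed ACK from convincing the server the client was really disconnected.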